support configuration of TLS/SSL parameters like protocol version and ciphers #624
Comments
How are you enabling SSL in Elasticsearch? Are you using xpack or something else?
The server configuration does not matter; the need for configuring SSL as a client is independent of the server settings. One might use an HTTPS proxy ahead of the real service, or reimplement the whole server in PHP; the client should use TLS as it was meant to be.
@Petrox I agree with that, and we are planning a fix (which I should have mentioned) but it's always good to hear about what real-world use cases people are using.
By the way, which version of the JRE/JDK are you using? JDK7 disables TLSv1.1/1.2 on clients by default: https://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7
@andrewvc Thank you for your reply. I used IBM Java 8 for the testing. I didn't use the Elastic X-Pack; I used another open source Elasticsearch plugin for the Elasticsearch SSL support.
I am facing the same issue, as I am using Search Guard as a plugin to Elasticsearch, which is configured to accept the TLSv1.2 protocol only. I even suspect that the error below is due to the SSL settings in the elasticsearch output plugin, because I am using fluentd with the same configuration (certificates, authentication/authorization details) along with the SSL version option, and there it works perfectly:
09:51:39.661 [Ruby-0-Thread-5: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:228] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logging-es:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://logging-es:9200/'"}
I couldn't find any setting which will enable me to specify which SSL protocol Logstash should use.
I'm using Elasticsearch v5.4.2 with SSL enabled and Logstash v5.4.2.
Elasticsearch was configured to accept the TLSv1.2 protocol only. I enabled SSL in the elasticsearch output plugin in Logstash, but the SSL handshake always failed because the SSL client in this plugin always uses TLSv1, which is rejected by Elasticsearch. I found there is no way to configure the SSL protocol for this plugin.
After reading the plugin source code, I had to hack the elasticsearch output plugin to make it work.
Edit file "logstash-5.4.2//vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.3.2-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb"
Add the code below at line 118:
ssl_options[:protocols] = ["TLSv1.2"]
I suggest you guys enhance the plugin to make it support the SSL protocol configuration.
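Added example (not part of the original issue and not the plugin's code): the failure mode described above, reproduced in process with Ruby's standard OpenSSL bindings instead of the plugin's JRuby HTTP client. A server restricted to TLSv1.2 rejects a client pinned to TLSv1 and accepts one that offers TLSv1.2. The `negotiate` helper, the throwaway certificate and the use of a Unix socket pair are assumptions made for this illustration.

```ruby
require "openssl"
require "socket"

# Constructed throwaway self-signed certificate for the in-process test server.
KEY = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  c.public_key = KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  c.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# Hypothetical helper: attempt one handshake over a socket pair against a
# server that accepts TLSv1.2 only. Returns the negotiated protocol string,
# or :handshake_failed when the two sides share no protocol version.
def negotiate(client_min, client_max)
  server_io, client_io = UNIXSocket.pair
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = CERT
  server_ctx.key = KEY
  server_ctx.min_version = server_ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      nil # the server side of a rejected handshake; the client reports it
    ensure
      server_io.close
    end
  end
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # constructed test cert only
  client_ctx.min_version = client_min
  client_ctx.max_version = client_max
  OpenSSL::SSL::SSLSocket.new(client_io, client_ctx).connect.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  :handshake_failed
ensure
  client_io&.close
  server&.join(5)
end
```

Running the same helper against a client range before and after a configuration change shows whether the client can still reach a TLSv1.2-only endpoint.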